时间又过去了两年,两年间发生了太多的事情,前两篇的内容都受到了不同程度的破坏,尽管 bearer token + guest token 的模式还能继续走下去,但也是时候找一个备用的方案了。
Guest Account
跟网页端用 guest_token 不一样,未登录帐号的的客户端使用的是一种拥有较低访问权限的临时账号:能同时使用多数客户端以及网页的端点,部分端点还拥有较高的 rate limit,具体情况请参考Rate limit status。同时根据Twitter Developer Platform的说法: Access tokens are not explicitly expired,这种帐号的令牌一经签发,理论上永久有效。 经过实际测试,有效期为一个月左右。
但是,这些帐号并不是无敌的,短期内多次发送请求会导致对应账号失去全部时间线相关(包括但不限于 时间线、带回复时间线、单条推文、搜索、列表以及社群)端点的访问权限一天;每天能获取到这些帐号的数量也是随机的,一般每天每 ip 可以获取到20个左右,近期没访问过 Twitter 的 ip 可以获取到上百甚至几百个,但大量获取的后果是 ip 被拉黑,后面几天可能一个号都获取不到。
我测试时循环(没有停顿)六七次不行了,调用搜索的接口会死得更快,同一ip多死几个号以后,后面的请求基本上是一个临时号一天只能用一次,第二次就被搞。@banka
客户端
为了避免出现意外,我选择的是七月出事前的最后一个版本 9.95.0-release.0,设备是刷了“最新” OxygenOS(Android 9) 的 OnePlus 3T,root 和安装证书可以参考 在 Android 9 的设备抓包,实际上根据 Nitter 的 issue,直到 10.1 都还支持这一特性。
Consumer key & secret
由于我早就通过其他渠道拿到了 consumer key 和 consumer secret,所以这里只不过是照着结论推过程。
由于这段是写完后面的内容再写的,外加 consumer key 和 consumer secret 是固定的,所以我只是随便在网上找了一个 apk 文件放到 JADX 拆包,拆包后的变量名可能会跟我这里不一样
⚠ 我不确定这段在未来会不会被相关人士要求删除
- 直接搜索关键字
/oauth2/token,可能会什么都没有,但正常情况至少会有一个结果Node defpackage.qvb.b() yec<yg, TwitterErrors>aVar.m("/oauth2/token", "/")... ... - 简单分析一下逻辑就会发现
dk1.c()用于计算base64,那g和g2就分别是consumer key和consumer secretpublic final class qvb extends d1m<yg, TwitterErrors> { public yg Z2; public final mhi a3; public qvb() { String str = gst.d; this.a3 = new mhi(r3d.b().A1()); f(); } @Override // defpackage.d1m, defpackage.pec, defpackage.zv0, defpackage.cw0, defpackage.xec public final yec<yg, TwitterErrors> b() { vvf.c cVar = new vvf.c(yg.class); tdc.a aVar = new tdc.a(); aVar.m("/oauth2/token", "/"); int i = uji.a; cec Z = Z(aVar.j().a(mqt.a())); Z.h = bec.b.x; Z.j = cVar; Z.b(h6f.q(new xt1("grant_type", "client_credentials"))); bec d = Z.d(); rhi rhiVar = this.a3.a; String g = rs1.g(rhiVar.a); String g2 = rs1.g(rhiVar.b); d.B("Authorization", "Basic ".concat(dk1.c((g + ":" + g2).getBytes()))); d.d(); if (d.w()) { this.Z2 = (yg) cVar.c; } return yec.a(d, cVar); } @Override // defpackage.pec, defpackage.xec public final String m() { return mqt.a().b; } } - 再往上分析就找到下面这一段,简单合并一下就出来了
package defpackage; /* compiled from: Twttr */ /* renamed from: gst reason: default package */ /* loaded from: classes5.dex */ public final class gst extends ust { public static final String d; public static final String e; static { byte[] bArr = {-29, -88, -64, -95, -61, -89, -44, -68, -88, -98, -32, -63, -30, -96, -100, -63, -98, -80, -31, -97}; byte[] bArr2 = {-44, -77, -93, -31, -35, -47, -48, -76, -76, -93, -78, -48, -32, -61, -86, -35, -56, -81, -33, -27, -93, -87, -81, -61, -94, -65, -47, -49, -97, -66, -66, -53, -61, -84, -67, -96, -58, -64, -94, -33, -91, -99, -93}; StringBuilder sb = new StringBuilder(20); for (int i = 0; i < 20; i++) { sb.append((char) (22 - bArr[i])); } d = sb.toString(); StringBuilder sb2 = new StringBuilder(43); for (int i2 = 0; i2 < 43; i2++) { sb2.append((char) (22 - bArr2[i2])); } e = sb2.toString(); } public gst() { super(d, e); } }
Bearer token
跟网页版一样,这个 bearer token 理论上是不会变的,更多关于这个令牌的信息请看这里:
// 环境要求,下同
// Node v18.15.0 / Deno / Bun...
const TW_CONSUMER_KEY = '3nVuSoBZnx6U4vzUxf5w'
const TW_CONSUMER_SECRET = 'Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys'
const TW_ANDROID_BASIC_TOKEN = `Basic ${btoa(TW_CONSUMER_KEY+':'+TW_CONSUMER_SECRET)}`
const getBearerToken = async () => {
const tmpTokenResponse = await (await fetch('https://api.twitter.com/oauth2/token', {
headers: {
Authorization: TW_ANDROID_BASIC_TOKEN,
'Content-Type': 'application/x-www-form-urlencoded'
},
method: 'post',
body: 'grant_type=client_credentials'
})).json()
return Object.values(tmpTokenResponse).join(" ")
}
const bearer_token = await getBearerToken()
// Bearer AAAAAAAAAAAAAAAAAAAAAFXzAwAAAAAAMHCxpeSDG1gLNLghVe8d74hl6k4%3DRUMF4xAQLsbeBhTSRrCiQpJtxoGWeyHrDb5te2jpGskWDFW82F
oauth_token & oauth_token_secret
这里用到的 bearer_token 在前面获得
取得 Guest token
const guest_token = (await (await fetch("https://api.twitter.com/1.1/guest/activate.json", {
headers: {
Authorization: bearer_token
},
method: "post"
})).json()).guest_token
取得第一个 flow_token
const flow_token = (await (await fetch('https://api.twitter.com/1.1/onboarding/task.json?flow_name=welcome&api_version=1&known_device_token=&sim_country_code=us', {
headers: {
Authorization: bearer_token,
'Content-Type': 'application/json',
'User-Agent': 'TwitterAndroid/9.95.0-release.0 (29950000-r-0) ONEPLUS+A3010/9 (OnePlus;ONEPLUS+A3010;OnePlus;OnePlus3;0;;1;2016)',
'X-Twitter-API-Version': 5,
'X-Twitter-Client': 'TwitterAndroid',
'X-Twitter-Client-Version': '9.95.0-release.0',
'OS-Version': '28',
'System-User-Agent': 'Dalvik/2.1.0 (Linux; U; Android 9; ONEPLUS A3010 Build/PKQ1.181203.001)',
'X-Twitter-Active-User': 'yes',
'X-Guest-Token': guest_token
},
method: 'post',
body: '{"flow_token":null,"input_flow_data":{"country_code":null,"flow_context":{"start_location":{"location":"splash_screen"}},"requested_variant":null,"target_user_id":0},"subtask_versions":{"generic_urt":3,"standard":1,"open_home_timeline":1,"app_locale_update":1,"enter_date":1,"email_verification":3,"enter_password":5,"enter_text":5,"one_tap":2,"cta":7,"single_sign_on":1,"fetch_persisted_data":1,"enter_username":3,"web_modal":2,"fetch_temporary_password":1,"menu_dialog":1,"sign_up_review":5,"interest_picker":4,"user_recommendations_urt":3,"in_app_notification":1,"sign_up":2,"typeahead_search":1,"user_recommendations_list":4,"cta_inline":1,"contacts_live_sync_permission_prompt":3,"choice_selection":5,"js_instrumentation":1,"alert_dialog_suppress_client_events":1,"privacy_options":1,"topics_selector":1,"wait_spinner":3,"tweet_selection_urt":1,"end_flow":1,"settings_list":7,"open_external_link":1,"phone_verification":5,"security_key":3,"select_banner":2,"upload_media":1,"web":2,"alert_dialog":1,"open_account":2,"action_list":2,"enter_phone":2,"open_link":1,"show_code":1,"update_users":1,"check_logged_in_account":1,"enter_email":2,"select_avatar":4,"location_permission_prompt":2,"notifications_permission_prompt":4}}'
})).json()).flow_token
//g;4174100000134946:-1691400000588:S0Jot3jIr00000M23lT3jJCk:0
得到帐号 or 失败结束
const subtasks = (await (await fetch('https://api.twitter.com/1.1/onboarding/task.json', {
headers: {
Authorization: bearer_token,// Bearer ...
'Content-Type': 'application/json',
'User-Agent': 'TwitterAndroid/9.95.0-release.0 (29950000-r-0) ONEPLUS+A3010/9 (OnePlus;ONEPLUS+A3010;OnePlus;OnePlus3;0;;1;2016)',
'X-Twitter-API-Version': 5,
'X-Twitter-Client': 'TwitterAndroid',
'X-Twitter-Client-Version': '9.95.0-release.0',
'OS-Version': '28',
'System-User-Agent': 'Dalvik/2.1.0 (Linux; U; Android 9; ONEPLUS A3010 Build/PKQ1.181203.001)',
'X-Twitter-Active-User': 'yes',
'X-Guest-Token': guest_token
},
method: 'post',
// 下一行的 `flow_token` 就是上一项获得的那个
body: '{"flow_token":"' + flow_token + '","subtask_inputs":[{"open_link":{"link":"next_link"},"subtask_id":"NextTaskOpenLink"}],"subtask_versions":{"generic_urt":3,"standard":1,"open_home_timeline":1,"app_locale_update":1,"enter_date":1,"email_verification":3,"enter_password":5,"enter_text":5,"one_tap":2,"cta":7,"single_sign_on":1,"fetch_persisted_data":1,"enter_username":3,"web_modal":2,"fetch_temporary_password":1,"menu_dialog":1,"sign_up_review":5,"interest_picker":4,"user_recommendations_urt":3,"in_app_notification":1,"sign_up":2,"typeahead_search":1,"user_recommendations_list":4,"cta_inline":1,"contacts_live_sync_permission_prompt":3,"choice_selection":5,"js_instrumentation":1,"alert_dialog_suppress_client_events":1,"privacy_options":1,"topics_selector":1,"wait_spinner":3,"tweet_selection_urt":1,"end_flow":1,"settings_list":7,"open_external_link":1,"phone_verification":5,"security_key":3,"select_banner":2,"upload_media":1,"web":2,"alert_dialog":1,"open_account":2,"action_list":2,"enter_phone":2,"open_link":1,"show_code":1,"update_users":1,"check_logged_in_account":1,"enter_email":2,"select_avatar":4,"location_permission_prompt":2,"notifications_permission_prompt":4}}'
})).json()).subtasks
const account = subtasks.find(task => task.subtask_id === 'OpenAccount')?.open_account
console.log(account)
如果这里是 undefined 的话可能是下面两种情况:
- 意味着 ip 很不幸地被限制了,建议换一个 ip 或者过几天再来。
通过滥用大厂的云服务来刷访客帐号是很难的,至少在 CloudFlare workers 是做不到的 - 帐号创建流程被卡住了,需要过一会(数秒到数分钟不等)再进行一次同样的请求
Also for account creation I can't workout whether there is some fundamental delay in generation of the oauth guest accounts requiring a second call to the open_link to get an account open or whether it's the rotation of IP that does it but you can go through patches of accounts opening right away and sometimes requiring 3+ calls for it to happen. @ImTheDeveloper
Sometimes it appears there is a delay in the creation of the account so you need to wait a few seconds/minutes and then it will create if you call the next_link again. @ImTheDeveloper
如果这里得到了一个对象,那这个 account 对象就差不多长下面这样
{
"user": {
"id": 168862000062124800,
"id_str": "168862000062124800",
"name": "Open App User",
"screen_name": "_LO_08072W00Z6G",
"user_type": "Soft"
},
"next_link": {
"link_type": "subtask",
"link_id": "next_link",
"subtask_id": "OpenAppFlowStartAccountSetupOpenLink"
},
"oauth_token": "168862000062124800-yOxTZxJc4nKGGJ0lik000069JgJJX",
"oauth_token_secret": "PSrSIwXo0000RvWvcwQ0000dLgay0000NbpvSztF6n",
"attribution_event": "signup"
}
screen_name 的结构是 _LO_ + 当天日期 + 7位随机大小写字母或数字
建议记录 oauth_token, oauth_token_secret, screen_name。
uid 记不记无所谓,这类账号是无法通过 uid 或 screen_name 来查找的
创建 OAuth 签名
参考 Creating a signature 即可
大概原理就是给 payload 排序后合并成字符串然后算 HMAC-SHA1,最简单的办法就是去找个算 OAuth 签名的包
// browser
const buffer_to_base64 = buf => {
let binary = '';
const bytes = new Uint8Array(buf);
for (var i = 0; i < bytes.byteLength; i++) {
binary += String.fromCharCode(bytes[i]);
}
return btoa(binary)
}
// Node.js
const buffer_to_base64 = buf => buf.toString('base64')
// The oauth_nonce parameter is a unique token your application should generate for each unique request. Twitter will use this value to determine whether a request has been submitted multiple times. The value for this request was generated by base64 encoding 32 bytes of random data, and stripping out all non-word characters, but any approach which produces a relatively random alphanumeric string **should be OK** here.
// So just fill in any value you want.
const getOauthAuthorization = async (oauth_token, oauth_token_secret, method = 'GET', url = '', body = '', timestamp = Math.floor(Date.now() / 1000), oauth_nonce = btoa(new Array(2).fill(Math.random().toString()).join('').slice(4)).replaceAll('+', '').replaceAll('/', '').replaceAll('=', '')) => {
if (!url) {
return ''
}
method = method.toUpperCase()
const parseUrl = new URL(url)
const link = parseUrl.origin + parseUrl.pathname
const payload = [...parseUrl.searchParams.entries()]
if (body) {
let isJson = false
try {
JSON.parse(body)
isJson = true
} catch (e) {}
if (!isJson) {
payload.push(...new URLSearchParams(body).entries())
}
}
payload.push(['oauth_version', '1.0'])
payload.push(['oauth_signature_method', 'HMAC-SHA1'])
payload.push(['oauth_consumer_key', TW_CONSUMER_KEY])
payload.push(['oauth_token', oauth_token])
payload.push(['oauth_nonce', oauth_nonce])
payload.push(['oauth_timestamp', String(timestamp)])
const forSign =
method + '&' + encodeURIComponent(link) + '&' + new URLSearchParams(payload.sort((a, b) => (a[0] > b[0] ? 1 : a[0] < b[0] ? -1 : 0))).toString().replaceAll('+', '%20').replaceAll('%', '%25').replaceAll('=', '%3D').replaceAll('&', '%26')
let key = await crypto.subtle.importKey("raw", new TextEncoder('utf-8').encode(TW_CONSUMER_SECRET + '&' + (oauth_token_secret ? oauth_token_secret : '')), { name: "HMAC", hash: "SHA-1" }, false, ["sign", "verify"])
let sign = await crypto.subtle.sign('HMAC', key, new TextEncoder('utf-8').encode(forSign))
return {
method,
url,
parse_url: parseUrl,
timestamp,
oauth_nonce,
oauth_token,
oauth_token_secret,
oauth_consumer_key: TW_CONSUMER_KEY,
oauth_consumer_secret: TW_CONSUMER_SECRET,
payload,
sign: buffer_to_base64(sign)
}
}
const OAuthSign = getOauthAuthorization(account.oauth_token, account.oauth_token_secret, 'GET', "https://api.twitter.com/graphql/G8jKRx5LiyrRDs5FcsUjsw/SearchTimeline?variables=%7B%22includeTweetImpression%22%3Atrue%2C%22query_source%22%3A%22typed_query%22%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22includeEditControl%22%3Atrue%2C%22query%22%3A%22aaaa%22%2C%22timeline_type%22%3A%22Top%22%7D&features=%7B%22longform_notetweets_inline_media_enabled%22%3Atrue%2C%22super_follow_badge_privacy_enabled%22%3Atrue%2C%22longform_notetweets_rich_text_read_enabled%22%3Atrue%2C%22super_follow_user_api_enabled%22%3Atrue%2C%22unified_cards_ad_metadata_container_dynamic_card_content_query_enabled%22%3Atrue%2C%22super_follow_tweet_api_enabled%22%3Atrue%2C%22android_graphql_skip_api_media_color_palette%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Atrue%2C%22freedom_of_speech_not_reach_fetch_enabled%22%3Atrue%2C%22creator_subscriptions_subscription_count_enabled%22%3Atrue%2C%22tweetypie_unmention_optimization_enabled%22%3Atrue%2C%22longform_notetweets_consumption_enabled%22%3Atrue%2C%22subscriptions_verification_info_enabled%22%3Atrue%2C%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22tweet_with_visibility_results_prefer_gql_limited_actions_policy_enabled%22%3Atrue%2C%22super_follow_exclusive_tweet_notifications_enabled%22%3Atrue%7D") // 如果是 POST 还需要提供 body
const authorization = `OAuth realm="http://api.twitter.com/", oauth_version="1.0", oauth_token="${OAuthSign.oauth_token}", oauth_nonce="${OAuthSign.oauth_nonce}", oauth_timestamp="${OAuthSign.timestamp}", oauth_signature="${encodeURIComponent(OAuthSign.sign)}", oauth_consumer_key="${OAuthSign.oauth_consumer_key}", oauth_signature_method="HMAC-SHA1"`
其中,realm 是固定不变的 http://api.twitter.com/;当 body 不是 application/x-www-form-urlencoded 时 body 无需参与计算
在后续的请求里面这个 authorization 的值将会替代 bearer_token
如果感觉还是不太明白可以查看 在线签名页面 直接上手体验
*queryId & featureSwitches
*请注意这部分只是提取用于 Twitter Monitor 的 queryId 和 featureSwitches,并不是所有人都需要用到的,除非你需要精细控制一些内容的特性。一般情况下这部分内容只需要当成字符串粘贴即可
由于实在看不下去 Java 源码,我只写了个脚本一键从抓包的请求里面提取并给转换成跟 web 版差不多的格式
// 这里只列了我需要用的,其他可以自行抓包添加
const list = [
'https://na.albtls.t.co/graphql/oPppcargziU1uDQHAUmH-A/UserResultByIdQuery?variables=%7B%22include_smart_block%22%3Atrue%2C%22includeTweetImpression%22%3Atrue%2C%22includeTranslatableProfile%22%3Atrue%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22include_tipjar%22%3Atrue%2C%22include_highlights_info%22%3Atrue%2C%22includeEditPerspective%22%3Afalse%2C%22include_reply_device_follow%22%3Atrue%2C%22includeEditControl%22%3Atrue%2C%22include_verified_phone_status%22%3Afalse%2C%22rest_id%22%3A%22780211%22%7D&features=%7B%22verified_phone_label_enabled%22%3Afalse%2C%22creator_subscriptions_subscription_count_enabled%22%3Atrue%2C%22super_follow_badge_privacy_enabled%22%3Atrue%2C%22subscriptions_verification_info_enabled%22%3Atrue%2C%22super_follow_user_api_enabled%22%3Atrue%2C%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22super_follow_exclusive_tweet_notifications_enabled%22%3Atrue%7D',
'https://na.albtls.t.co/graphql/3JNH4e9dq1BifLxAa3UMWg/UserWithProfileTweetsQueryV2?variables=%7B%22includeTweetImpression%22%3Atrue%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22includeEditControl%22%3Atrue%2C%22count%22%3A20%2C%22rest_id%22%3A%222373%22%2C%22includeTweetVisibilityNudge%22%3Atrue%2C%22autoplay_enabled%22%3Atrue%7D&features=%7B%22longform_notetweets_inline_media_enabled%22%3Atrue%2C%22super_follow_badge_privacy_enabled%22%3Atrue%2C%22longform_notetweets_rich_text_read_enabled%22%3Atrue%2C%22super_follow_user_api_enabled%22%3Atrue%2C%22unified_cards_ad_metadata_container_dynamic_card_content_query_enabled%22%3Atrue%2C%22super_follow_tweet_api_enabled%22%3Atrue%2C%22android_graphql_skip_api_media_color_palette%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Atrue%2C%22freedom_of_speech_not_reach_fetch_enabled%22%3Atrue%2C%22creator_subscriptions_subscription_count_enabled%22%3Atrue%2C%22tweetypie_unmention_optimization_enabled%22%3Atrue%2C%22longform_notetweets_consumption_enabled%22%3Atrue%2C%22subscriptions_verification_info_enabled%22%3Atrue%2C%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22tweet_with_visibility_results_prefer_gql_limited_actions_policy_enabled%22%3Atrue%2C%22super_follow_exclusive_tweet_notifications_enabled%22%3Atrue%7D',
'https://api-0-5-0.twitter.com/graphql/8IS8MaO-2EN6GZZZb8jF0g/UserWithProfileTweetsAndRepliesQueryV2?variables=%7B%22includeTweetImpression%22%3Atrue%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22includeEditControl%22%3Atrue%2C%22count%22%3A20%2C%22rest_id%22%3A%221449200000377%22%2C%22includeTweetVisibilityNudge%22%3Atrue%2C%22autoplay_enabled%22%3Atrue%7D&features=%7B%22longform_notetweets_inline_media_enabled%22%3Atrue%2C%22super_follow_badge_privacy_enabled%22%3Atrue%2C%22longform_notetweets_rich_text_read_enabled%22%3Atrue%2C%22super_follow_user_api_enabled%22%3Atrue%2C%22unified_cards_ad_metadata_container_dynamic_card_content_query_enabled%22%3Atrue%2C%22super_follow_tweet_api_enabled%22%3Atrue%2C%22android_graphql_skip_api_media_color_palette%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Atrue%2C%22freedom_of_speech_not_reach_fetch_enabled%22%3Atrue%2C%22creator_subscriptions_subscription_count_enabled%22%3Atrue%2C%22tweetypie_unmention_optimization_enabled%22%3Atrue%2C%22longform_notetweets_consumption_enabled%22%3Atrue%2C%22subscriptions_verification_info_enabled%22%3Atrue%2C%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22tweet_with_visibility_results_prefer_gql_limited_actions_policy_enabled%22%3Atrue%2C%22super_follow_exclusive_tweet_notifications_enabled%22%3Atrue%7D',
'https://api.twitter.com/graphql/G8jKRx5LiyrRDs5FcsUjsw/SearchTimeline?variables=%7B%22includeTweetImpression%22%3Atrue%2C%22query_source%22%3A%22typed_query%22%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22includeEditControl%22%3Atrue%2C%22query%22%3A%22aaaa%22%2C%22timeline_type%22%3A%22Top%22%7D&features=%7B%22longform_notetweets_inline_media_enabled%22%3Atrue%2C%22super_follow_badge_privacy_enabled%22%3Atrue%2C%22longform_notetweets_rich_text_read_enabled%22%3Atrue%2C%22super_follow_user_api_enabled%22%3Atrue%2C%22unified_cards_ad_metadata_container_dynamic_card_content_query_enabled%22%3Atrue%2C%22super_follow_tweet_api_enabled%22%3Atrue%2C%22android_graphql_skip_api_media_color_palette%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Atrue%2C%22freedom_of_speech_not_reach_fetch_enabled%22%3Atrue%2C%22creator_subscriptions_subscription_count_enabled%22%3Atrue%2C%22tweetypie_unmention_optimization_enabled%22%3Atrue%2C%22longform_notetweets_consumption_enabled%22%3Atrue%2C%22subscriptions_verification_info_enabled%22%3Atrue%2C%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22tweet_with_visibility_results_prefer_gql_limited_actions_policy_enabled%22%3Atrue%2C%22super_follow_exclusive_tweet_notifications_enabled%22%3Atrue%7D',
'https://na.albtls.t.co/graphql/83h5UyHZ9wEKBVzALX8R_g/ConversationTimelineV2?variables=%7B%22referrer%22%3A%22profile%22%2C%22includeTweetImpression%22%3Atrue%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22isReaderMode%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22includeEditControl%22%3Atrue%2C%22focalTweetId%22%3A167600000992%2C%22includeCommunityTweetRelationship%22%3Atrue%2C%22includeTweetVisibilityNudge%22%3Atrue%7D&features=%7B%22longform_notetweets_inline_media_enabled%22%3Atrue%2C%22super_follow_badge_privacy_enabled%22%3Atrue%2C%22longform_notetweets_rich_text_read_enabled%22%3Atrue%2C%22super_follow_user_api_enabled%22%3Atrue%2C%22unified_cards_ad_metadata_container_dynamic_card_content_query_enabled%22%3Atrue%2C%22super_follow_tweet_api_enabled%22%3Atrue%2C%22android_graphql_skip_api_media_color_palette%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Atrue%2C%22freedom_of_speech_not_reach_fetch_enabled%22%3Atrue%2C%22creator_subscriptions_subscription_count_enabled%22%3Atrue%2C%22tweetypie_unmention_optimization_enabled%22%3Atrue%2C%22longform_notetweets_consumption_enabled%22%3Atrue%2C%22subscriptions_verification_info_enabled%22%3Atrue%2C%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22tweet_with_visibility_results_prefer_gql_limited_actions_policy_enabled%22%3Atrue%2C%22super_follow_exclusive_tweet_notifications_enabled%22%3Atrue%7D',
'https://api.twitter.com/graphql/w9iN3QyYsynBlEXr9h6M2Q/TranslateProfileQuery?variables=%7B%22includeTweetImpression%22%3Atrue%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22includeEditControl%22%3Atrue%2C%22rest_id%22%3A111%7D',
'https://api.twitter.com/graphql/hE1HCUzioO9QSLpvIBvvYA/TranslateTweetQuery?variables=%7B%22includeTweetImpression%22%3Atrue%2C%22includeHasBirdwatchNotes%22%3Afalse%2C%22includeEditPerspective%22%3Afalse%2C%22tweet_id%22%3A111%2C%22includeEditControl%22%3Atrue%7D'
]
const queryString = list
.map((x) => {
const tmpParse = new URL(x)
const tmpPath = tmpParse.pathname.split('/')
const operationName = tmpPath.pop()
const queryId = tmpPath.pop()
//operationType: "query"
const features = JSON.parse(tmpParse.searchParams.get('features') || '{}')
const variables = JSON.parse(tmpParse.searchParams.get('variables'))
const data = {
queryId: queryId,
operationName: operationName,
operationType: 'query',
metadata: { featureSwitches: Object.keys(features) },
features: features
}
return `export const _${operationName} = ${JSON.stringify(data)}`
//"metadata":{"featureSwitches"
})
.join('\n')
//writeFileSync('./androidQueryIdList.js', queryString)
取得返回内容
客户端接口返回内容的结构跟网页版 v2_timeline 接口的基本一致,具体情况请参考前段时间 Twitter Monitor 的提交(其实是我也记不清了)
常见的失败内容包括:签名错误,帐号过期,帐号被临时拉黑,其他错误请参考 Response codes and errors
// 临时拉黑
{ "errors": [ { "message": "Rate limit exceeded", "code": 88 } ] }
// 帐号过期
{ "errors": [ { "message": "Invalid or expired token", "code": 89 } ] }
// 签名错误
{ "errors": [ { "message": "Could not authenticate you", "code": 32 } ] }
一些别的
- 如果你拿到自己账号的
oauth_token和oauth_token_secret,也可以像 创建 OAuth 签名 那样创建签名去请求接口 关于有效期我自己也还在摸索,我的第一个有记录的帐号创建自Fri Jul 07 05:28:49 +0000 2023,如果后续情况有变我会更新本文风控非常严厉,勤换 ip 多屯号,有备无患有效期仅一个月,屯号无用目前的最优解并不是使用这些临时账号,而是用 新版TweetDeck (aka X Pro) 的 bearer token 去获取 guest token,观测脚本的结果 显示多数接口都能正常使用。- Nitter 的 相关 issue 里面还有各路人士提供了 js、python、golang、powershell、bash 的实现
- 截至目前 Twitter api 并不支持 ipv6,因此请准备 ipv4 连接
- 目前我使用 BANKA2017/twitter-monitor ~/apps/open_account 搭建私有帐号池,获取访客帐号的脚本分别部署在两台 vps 上面,每个月总共能获取到大约
250个访客帐号 - 关于选购代理池的事情我不熟悉,请查看 轻松创建一万个 Twitter 账号
参考
- Rate limit status
- App only authentication and OAuth 2.0 Bearer Token
- Twitter Developer Platform
- Creating a signature
- Web Crypto API
- github:entronad/crypto-es
- github:R.I.P. Nitter 🪦😭 (...unless?) #919
- gist:Twitter Official Consumer Key
- github:looks like X/twitter(?) broke something again #983
- Response codes and errors
- Twitter OAuth Signature Builder
- JADX
- 轻松创建一万个 Twitter 账号
- 各种群聊/推文/gist 的讨论结果